[ On January 16, 1999 at 22:37:50 (GMT), Dan Astoorian wrote: ]
> Subject: Re: Restricting RSA Authentication.
>
> In article <>,
> Stephen Carville <[EMAIL PROTECTED]> wrote:
> >John Riddoch wrote:
> >>
> >> Shiloh Costa wrote:
> >> >
> >> > The only way I can think of is to pre-create an .ssh directory, and chown
> >> > it to root with no write permissions.
> >>
> >> Doesn't work; since the user has rwx permission in their home directory,
> >> they can just delete anything below it.
> >
> >Create a file in .ssh owned by root with owner write only. Change the
> >owner of .ssh to root and set it owner write only. Now the user cannot
> >delete the directory.
>
> Also doesn't work: the user can still `mv' the directory to a new name
> and create a new, writable ~/.ssh directory in its place.

Indeed. Special immutable flags aside, it seems as though the wrong
tack is taken to this problem.

First off you have to decide if you really want to make this restriction
on the client side, or not, and if you do decide to do this on the
client whether or not you think you can enforce that decision. (NOT! ;-)

Secondly, you have the source code and you can eliminate the use of
directories under the user's control (in either the client or server).

--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
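
The rename problem raised in the quoted text above, as an added shell example that is not part of the original thread: it shows why locking down `.ssh` itself cannot hold while the parent directory stays writable. The scratch directory, the `placeholder` file and the `.ssh.locked` name are constructed for the demo, and mode bits stand in for the root ownership discussed in the thread, since `chown` to root needs root.

```shell
#!/bin/sh
# Constructed demo in a scratch directory; no real home directory is touched.
# "home" stands in for a user's home directory (writable by that user).

demo_rename_bypass() {
    scratch=$(mktemp -d) || return 2
    home="$scratch/home"
    mkdir -p "$home/.ssh"

    # Lock-down as proposed in the thread: a protected file inside .ssh,
    # and no write permission on .ssh itself.
    : > "$home/.ssh/placeholder"
    chmod 400 "$home/.ssh/placeholder"
    chmod 555 "$home/.ssh"

    # Renaming an entry only needs write+search permission on the PARENT
    # directory, so the locked directory can be moved aside and a fresh,
    # writable .ssh created in its place.
    if mv "$home/.ssh" "$home/.ssh.locked" 2>/dev/null &&
       mkdir "$home/.ssh" &&
       : > "$home/.ssh/authorized_keys" &&
       [ -f "$home/.ssh.locked/placeholder" ]   # locked copy is untouched
    then
        result=bypassed
    else
        result=held
    fi

    # Clean up the scratch tree (restore write bits first).
    chmod -R u+w "$scratch"
    rm -rf "$scratch"
    echo "$result"
}

demo_rename_bypass   # prints "bypassed"
```

The permissions on `.ssh` are never violated; the control fails because the name `.ssh` is resolved through a directory the user can modify, which is why the reply points at moving the key files out of user-controlled directories.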